Cisco networking, SDN and security topics

TMG replacement dilemma – what is the best choice?

Now that Microsoft's TMG EOL (End of Life) announcement is behind us, many of us still use it and still think it is a very good product :). We would like it to remain supported and developed, but we have to think about replacing it with an alternative solution. There is one simple reason we love TMG: after years of using it we have learned a lot about how it works and what it can do for us. It handles many useful jobs related to secure internet access for our corporate users and access by external users to our internal resources. It packs a lot of functionality into one product, and it is one of the rare products that acts as both a proxy and a reverse proxy in one box, and it does both jobs very well at the same time. There are many products on the market that do one of those two jobs well, but it is hard to find one that does both as well as TMG did, and that creates the dilemma: do you spend much more money to replace TMG with two products (one proxy and one reverse proxy), or try to find a product that supports both, but not as well as TMG did? If we look for products that offer both proxy and reverse proxy functionality in the same box, we will find that some functionality is missing (for example, caching). On the other hand, we can find a solution with two products that covers all TMG functionality, adds features TMG does not have, and brings more security features. But those solutions cost much more than a TMG server did, and we will have a hard task explaining that kind of investment to our management :). So what to do? Again, the answer is simple: technically, the best solution is to replace TMG with two products: one placed on our internal network segment to replace TMG's proxy function, and a second placed in our DMZ segment to replace the reverse proxy and the many other security features used for publishing our internal servers.
For proxy server functionality there are many products on the market, known as SWGs (secure web gateways), that can do a great job of securing your internal users' access to the internet. Each of these products can replace TMG's proxy functionality with all its features and add more on top. But migration from TMG is harder for some of them than for others. In my opinion, one product has more advantages in migrating from TMG than the others: Blue Coat SWG. I concluded this after doing POCs with several SWG products, and for Blue Coat my conclusion is that migration from TMG is pretty straightforward. This is because you can configure rules on BC the same way it was done on TMG, and you can put the same objects into rules exactly as they were on TMG. These objects are IP addresses or user groups, URLs, domains etc. as sources and destinations, plus service (protocol) and action. Rules are also evaluated in a top-down manner, which is very intuitive and familiar for TMG admins. This was one of the main reasons for choosing Blue Coat as the TMG proxy replacement in my company. For the other part of the solution, the reverse proxy, there are also many products that can replace TMG; these are known on the market mainly as ADCs (Application Delivery Controllers) and WAFs (Web Application Firewalls). These products usually offer reverse proxy, WAF and load balancing functionality in the same box and can replace and improve on TMG's function. In my opinion the best products for this are F5 BIG-IP and Citrix NetScaler.
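The rule model just described (source address or user group, destination URL or domain, protocol, action, evaluated top-down with the first match winning) is small enough to sketch in code. The following is an added example written for this post; it is not code from the original post, from Microsoft or from Blue Coat, and the rule names, user groups, networks and hostnames in it are constructed. It shows the one thing to check when rebuilding a TMG policy on another product: the same three rules give a different answer for the same request depending on which one sits higher in the list.

```python
# Added example: a minimal first-match (top-down) web-proxy policy evaluator in
# the TMG / Blue Coat style. All rule objects, groups, networks and hostnames
# below are constructed for illustration, not taken from any real product.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Request:
    src_ip: str
    user_groups: frozenset
    dest_host: str
    protocol: str            # "http" or "https"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src_nets: tuple = ()     # CIDR strings; empty tuple = any source address
    src_groups: frozenset = frozenset()   # empty = any user group
    dest_domains: tuple = () # a domain matches itself and its subdomains; empty = any
    protocols: frozenset = frozenset()    # empty = any protocol

    def _src_ok(self, req: Request) -> bool:
        if not self.src_nets:
            return True
        addr = ip_address(req.src_ip)
        return any(addr in ip_network(n) for n in self.src_nets)

    def _group_ok(self, req: Request) -> bool:
        return not self.src_groups or bool(self.src_groups & req.user_groups)

    def _dest_ok(self, req: Request) -> bool:
        if not self.dest_domains:
            return True
        host = req.dest_host.lower().rstrip(".")
        # "social.example" matches itself and "www.social.example",
        # but not "notsocial.example" (the leading dot prevents that).
        return any(host == d or host.endswith("." + d) for d in self.dest_domains)

    def _proto_ok(self, req: Request) -> bool:
        return not self.protocols or req.protocol in self.protocols

    def matches(self, req: Request) -> bool:
        return (self._src_ok(req) and self._group_ok(req)
                and self._dest_ok(req) and self._proto_ok(req))


def evaluate(rules: Iterable[Rule], req: Request) -> Tuple[str, str]:
    """Top-down, first-match evaluation; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed sample policy (hypothetical names, groups and addresses).
DENY_SOCIAL = Rule("Block social media", "deny", dest_domains=("social.example",))
ALLOW_MARKETING = Rule("Marketing full web", "allow",
                       src_nets=("10.10.0.0/16",), src_groups=frozenset({"Marketing"}))
ALLOW_ALL_WEB = Rule("Staff web access", "allow",
                     src_nets=("10.0.0.0/8",), protocols=frozenset({"http", "https"}))

# Two orderings of the same three rules. In the first the deny sits above the
# broad allows; in the second "Marketing full web" shadows it for Marketing users.
POLICY_DENY_FIRST = (DENY_SOCIAL, ALLOW_MARKETING, ALLOW_ALL_WEB)
POLICY_ALLOW_FIRST = (ALLOW_MARKETING, DENY_SOCIAL, ALLOW_ALL_WEB)


def demo():
    marketer = Request("10.10.4.7", frozenset({"Marketing"}), "www.social.example", "https")
    engineer = Request("10.20.1.9", frozenset({"Engineering"}), "www.social.example", "https")
    outsider = Request("192.0.2.15", frozenset(), "intranet.corp.example", "http")
    return {
        "marketer/deny-first": evaluate(POLICY_DENY_FIRST, marketer),
        "marketer/allow-first": evaluate(POLICY_ALLOW_FIRST, marketer),
        "engineer/deny-first": evaluate(POLICY_DENY_FIRST, engineer),
        "outsider": evaluate(POLICY_DENY_FIRST, outsider),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22} -> {verdict}")
```

The trailing `default-deny` plays the role of TMG's implicit last rule, so a request from an address no rule mentions (the `outsider` case) is refused rather than silently passed. When migrating, it is worth running each rule set you rebuild through a handful of such sample requests and comparing the verdicts with what the old TMG policy produced.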

Another option is to replace TMG with a single product that has both functions in one box. But after detailed examination I think there is no product on the market that can replace TMG one to one in a way that satisfies all customer needs. Every such solution lacks some features, for example caching, a good reverse proxy feature, user pre-authentication the way TMG did it, etc. The products on the market that claim to replace all TMG functionality are UTM (Unified Threat Management) solutions, from Fortinet, Sophos etc.

So, if you are considering a UTM as a TMG replacement, make a detailed analysis of the features you want in your network and then decide. Also, UTMs are more appropriate for small and medium-sized businesses. For big enterprises I think the only and best solution is to replace TMG with separate proxy and reverse proxy products.

After this discussion of the two possible solutions for TMG replacement, I want to let you know that there is a third possibility, though less recommended than the two described earlier. This is a hybrid solution: two products integrated in one box. There are two solutions of this type on the market. The first is the F5 BIG-IP with the Websense SWG software module in it: an F5 product that covers the reverse proxy function, with the Websense software module added for proxy functionality. The second is the Citrix NetScaler with a Palo Alto software module as the proxy. These hybrid products cover all TMG functionality, but their price can be comparable to using two separate products. I prefer using two separate products because you can put them on separate network segments: the reverse proxy in your DMZ and the proxy on the internal network.

That was a brief discussion of TMG replacement, and I hope it is useful for companies that are considering this topic.